Using an external identity provider with juju controllers

To set up a Juju Controller to use an external identity provider, the identity provider needs to be configured at bootstrap time using the identity-url and allow-model-access settings. For example, to bootstrap a controller that uses the jujucharms identity provider, do the following:

juju bootstrap google \
    --config identity-url= \
    --config allow-model-access=true

identity-url configures the URL of the external identity provider. The identity provider should be a candid server.

allow-model-access configures the controller to not check that a user has been explicitly added to the set of users known to the controller before checking if the user has access to a particular model.


@martin-hilton thanks for this. I’m still a little confused how I would be able to grant external users access to my controller:model using identity, it seems that users still need to exist locally on the controller. Possibly you have other thoughts around this?

You have to have the local admin account. They need to be able to run the controller. You can grant users on the remote identity system with the @external suffix like you do in JAAS I believe.

ahh, so pass around the yaml config files for the admin user to users that need access (via ? that doesn’t seem right, possibly I’m hearing you wrong.

Oh, I see. How do you get access there? Hmm, I think you’ll have to seed some info. Maybe you can try to login to the controller IP address? juju login xxxxxx ?

From another machine I try juju login:

 ▶ juju login --debug
13:13:08 INFO  juju.cmd supercommand.go:56 running juju [2.4.2 gc go1.10]
13:13:08 DEBUG juju.cmd supercommand.go:57   args: []string{"/snap/juju/5070/bin/juju", "login", "", "--debug"}
13:13:08 DEBUG juju.api apiclient.go:729 looked up -> []
ERROR cannot log into "": unable to connect to API: x509: certificate signed by unknown authority
13:13:08 DEBUG cmd supercommand.go:459 error stack: 
x509: certificate signed by unknown authority unable to connect to API cannot log into ""

@martin-hilton How can I allow external users to register/ login to a controller that uses for identity?

@jamesbeedy You’re doing the right thing here, the problem is that your second juju doesn’t trust the certificate generated by the first one. The easiest way to make this work is to set your controller up with Let’s Encrypt certificates as well. I won’t repeat all of @rick_h’s instructions here, but the command line will end up something like:

$ juju bootstrap google jujushow-dns --config \
    --config identity-url= \
    --config allow-model-access=true

The command I used to bootstrap:

juju bootstrap manual/ juju-controller-manual \
    --config identity-url= \
    --config allow-model-access=true \
    --config \
    --bootstrap-series bionic

@martin-hilton the issue is that I have no idea how to register and login as an external identity user to my controller.

@martin-hilton any ideas on this part of the process?

Any progress on this? I think we have a similar situation.

– Update –
We messed up for our part by not first granting access to the controller, along with granting access to the desired model.

Something like below:

$ juju grant USER@global mycontroller login # Allow username login to controller
$ juju grant admin USER@global mymodel # Allow admin to model


I’ve also tried without success to use to authenticate external users. I tried many login command permutations. The one that I was told should work was:

juju login -c <controller name>

Site told me my user was logged in but the result was always:

ERROR cannot log into controller "aws-sso": invalid entity name or password (unauthorized access)

You need to first grant login access to the controller.

Then, grant access to models.


My previous understanding was that controller key allow-model-access obviated the need to grant login access. After re-reading Martin’s definition above I see that I was wrong. This key bypasses a local user check when a model connection is attempted. After granting login access it worked.
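The procedure the thread converges on (first post: bootstrap with identity-url and allow-model-access; final replies: grant controller login before model access) as a small POSIX shell wrapper. This is an added example, not code from the thread or from the Juju project. It assumes the juju 2.x grant syntax juju grant <user> <access> [<model>] with -c selecting the controller, that external users carry an identity domain such as alice@external, and a JUJU_CMD variable (an assumption of this script) so the sequence can be exercised with a stub instead of a real controller.

```shell
#!/bin/sh
# Added example (not from the thread): grant an external identity-provider
# user access to a juju controller in the order the thread settled on:
# controller "login" first, then access to a model.
# Assumes juju 2.x syntax "juju grant <user> <access> [<model>]" with -c
# naming the controller. JUJU_CMD is an assumption of this script so the
# sequence can be run against a stub instead of a real juju binary.
JUJU_CMD="${JUJU_CMD:-juju}"

# External users must carry an identity domain (e.g. alice@external).
# A bare name would be looked up among the controller's local users instead.
is_external_user() {
    case "$1" in
        *@?*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Model access levels juju accepts.
is_model_access() {
    case "$1" in
        read|write|admin) return 0 ;;
        *)                return 1 ;;
    esac
}

# grant_external_user <controller> <user@domain> <model> [read|write|admin]
grant_external_user() {
    controller=$1
    user=$2
    model=$3
    access=${4:-write}
    if ! is_external_user "$user"; then
        echo "refusing: '$user' has no identity domain (expected name@domain)" >&2
        return 2
    fi
    if ! is_model_access "$access"; then
        echo "refusing: unknown model access level '$access'" >&2
        return 2
    fi
    # Step 1: controller login. Without this the identity provider accepts
    # the user but the controller still answers "invalid entity name or
    # password (unauthorized access)" on juju login.
    "$JUJU_CMD" grant -c "$controller" "$user" login || return 1
    # Step 2: access to the specific model, which only works once step 1 is done.
    "$JUJU_CMD" grant -c "$controller" "$user" "$access" "$model" || return 1
}

# Run directly with arguments, e.g.:
#   sh grant_external_user.sh mycontroller alice@external mymodel admin
if [ "$#" -eq 3 ] || [ "$#" -eq 4 ]; then
    grant_external_user "$@"
fi
```

The domain check is deliberate: allow-model-access only skips the local-user lookup when a model connection is attempted, so a user without an identity domain still ends up being resolved against the controller's local users and never reaches the external provider.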